diff --git a/wise-webapp/src/main/java/com/wisemapping/config/mvc/MvcSecurityConfig.java b/wise-webapp/src/main/java/com/wisemapping/config/mvc/MvcSecurityConfig.java
index d90cbdd1..620e78d0 100644
--- a/wise-webapp/src/main/java/com/wisemapping/config/mvc/MvcSecurityConfig.java
+++ b/wise-webapp/src/main/java/com/wisemapping/config/mvc/MvcSecurityConfig.java
@@ -18,14 +18,13 @@ public class MvcSecurityConfig {
 @Bean
 @Order(1)
- public SecurityFilterChain embeddedDisabledXOrigin(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
- final MvcRequestMatcher.Builder matcher = new MvcRequestMatcher.Builder(introspector);
+ public SecurityFilterChain embeddedDisabledXOrigin(@NotNull final HttpSecurity http, @NotNull final MvcRequestMatcher.Builder mvc) throws Exception {
 http
 .securityMatchers((matchers) ->
- matchers.requestMatchers(matcher.pattern("c/maps/*/embed")))
+ matchers.requestMatchers(mvc.pattern("/c/maps/*/embed")))
 .authorizeHttpRequests(
- (auth) -> auth.requestMatchers(matcher.pattern(("c/maps/*/embed"))).permitAll())
+ (auth) -> auth.requestMatchers(mvc.pattern(("/c/maps/*/embed"))).permitAll())
 .headers((header -> header.frameOptions()
 .disable()
 ))
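Review bot: The embed chain removes clickjacking protection entirely with `header.frameOptions().disable()`, so the `/c/maps/*/embed` response can be framed from any origin; if embeds are only expected from known hosts, a `Content-Security-Policy` with `frame-ancestors` via `header.contentSecurityPolicy(csp -> csp.policyDirectives("frame-ancestors <ALLOWED-ORIGINS-PLACEHOLDER>"))` keeps a restriction while still allowing the embed. The leading-slash fix on both patterns changes what this chain matches, so a test pinning that `/c/maps/1/embed` is handled by this chain rather than falling through to `mvcFilterChain` would guard the regression. If the project is on Spring Security 6.1 or later, the no-argument `frameOptions()` is deprecated in favour of the Customizer form, `header.frameOptions(FrameOptionsConfig::disable)`. embeddedDisabledXOrigin's body continues past the hunk.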
@@ -34,27 +33,31 @@ public class MvcSecurityConfig {
 return http.build();
 }
+ @Bean
+ MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
+ return new MvcRequestMatcher.Builder(introspector);
+ }
+
 @Bean
 @Order(2)
- public SecurityFilterChain mvcFilterChain(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
- final MvcRequestMatcher.Builder matcher = new MvcRequestMatcher.Builder(introspector);
+ public SecurityFilterChain mvcFilterChain(@NotNull final HttpSecurity http, @NotNull final MvcRequestMatcher.Builder mvc) throws Exception {
 http
 .securityMatchers((matchers) ->
- matchers.requestMatchers(matcher.pattern("/c/**")))
+ matchers.requestMatchers(mvc.pattern("/c/**")))
 .authorizeHttpRequests(
 (auth) -> auth
- .requestMatchers(matcher.pattern("/c/login")).permitAll()
- .requestMatchers(matcher.pattern("/c/logout")).permitAll()
- .requestMatchers(matcher.pattern("/c/registration")).permitAll()
- .requestMatchers(matcher.pattern("/c/registration-success")).permitAll()
- .requestMatchers(matcher.pattern("/c/registration-google")).permitAll()
+ .requestMatchers(mvc.pattern("/c/login")).permitAll()
+ .requestMatchers(mvc.pattern("/c/logout")).permitAll()
+ .requestMatchers(mvc.pattern("/c/registration")).permitAll()
+ .requestMatchers(mvc.pattern("/c/registration-success")).permitAll()
+ .requestMatchers(mvc.pattern("/c/registration-google")).permitAll()
- .requestMatchers(matcher.pattern("/c/forgot-password")).permitAll()
- .requestMatchers(matcher.pattern("/c/forgot-password-success")).permitAll()
- .requestMatchers(matcher.pattern("/c/maps/*/try")).permitAll()
- .requestMatchers(matcher.pattern("/c/maps/*/public")).permitAll()
- .requestMatchers(matcher.pattern("/c/**")).hasAnyRole("USER", "ADMIN")
+ .requestMatchers(mvc.pattern("/c/forgot-password")).permitAll()
+ .requestMatchers(mvc.pattern("/c/forgot-password-success")).permitAll()
+ .requestMatchers(mvc.pattern("/c/maps/*/try")).permitAll()
+ .requestMatchers(mvc.pattern("/c/maps/*/public")).permitAll()
+ .requestMatchers(mvc.pattern("/c/**")).hasAnyRole("USER", "ADMIN")
 .anyRequest().authenticated())
 .formLogin((loginForm) -> loginForm.loginPage("/c/login")
@@ -77,7 +80,7 @@ public class MvcSecurityConfig {
 .disable()
 ))
 .csrf((csrf) ->
- csrf.ignoringRequestMatchers(matcher.pattern("/c/logout")));
+ csrf.ignoringRequestMatchers(mvc.pattern("/c/logout")));
 return http.build();
 }
@@ -93,7 +96,7 @@ public class MvcSecurityConfig {
 requestMatchers(matcher.pattern("/css/**")).permitAll().
 requestMatchers(matcher.pattern("/js/**")).permitAll().
 // @todo: Wht this is required ...
- requestMatchers(matcher.pattern("/WEB-INF/jsp/*.jsp")).permitAll().
+ requestMatchers(matcher.pattern("/WEB-INF/jsp/*.jsp")).permitAll().
 requestMatchers(matcher.pattern("/images/**")).permitAll().
 requestMatchers(matcher.pattern("/*")).permitAll()
 ).build();
diff --git a/wise-webapp/src/main/java/com/wisemapping/config/rest/RestAppConfig.java b/wise-webapp/src/main/java/com/wisemapping/config/rest/RestAppConfig.java
index 092fd7d6..f153a1bd 100644
--- a/wise-webapp/src/main/java/com/wisemapping/config/rest/RestAppConfig.java
+++ b/wise-webapp/src/main/java/com/wisemapping/config/rest/RestAppConfig.java
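Review bot: The new `mvc` bean method has exactly the same name, signature and return type as the `mvc` bean added to RestAppConfig in the last hunk of this diff, and Spring Boot rejects duplicate bean definitions by default (`spring.main.allow-bean-definition-overriding=false`), so startup would fail with a BeanDefinitionOverrideException if both configuration classes are ever loaded into the same ApplicationContext; if they are guaranteed to live in separate contexts a comment saying so would help, otherwise define the builder once in a shared configuration class. The method also carries no documentation; a one-liner such as `/** Shared MvcRequestMatcher.Builder so every filter chain resolves its patterns through the same introspector. */` would do. mvcFilterChain's body continues past the hunk (its CSRF configuration is in the next hunk).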
@@ -4,10 +4,6 @@ import org.jetbrains.annotations.NotNull;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.ImportResource;
-import org.springframework.core.annotation.Order;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
-import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -21,39 +17,27 @@ import static org.springframework.security.config.Customizer.withDefaults;
 @SpringBootApplication
 @EnableWebSecurity
-//@ImportResource(value = {"classpath:spring/wisemapping-rest.xml"})
 @ComponentScan({"com.wisemapping.rest"})
 public class RestAppConfig {
 @Bean
- @Order(2)
- SecurityFilterChain apiSecurityFilterChain(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
-// final MvcRequestMatcher.Builder matcher = new MvcRequestMatcher.Builder(introspector).servletPath("**");
-// return http
-// .securityMatchers((matchers) ->
-// matchers.requestMatchers(matcher.pattern(("/**"))))
-// .authorizeHttpRequests(auth -> auth
-// .requestMatchers(matcher.pattern("api/restfull/users/")).permitAll()
-// .requestMatchers(matcher.pattern("api/restfull/users/resetPassword")).permitAll()
-// .requestMatchers(matcher.pattern("api/restfull/oauth2/googlecallback")).permitAll()
-// .requestMatchers(matcher.pattern("api/restfull/oauth2/confirmaccountsync")).permitAll()
-// .requestMatchers(matcher.pattern("api/restfull/admin/**")).hasAnyRole("ADMIN")
-// .requestMatchers(matcher.pattern("/**"))
-// .authenticated()
-//// .hasAnyRole("USER", "ADMIN")
-// )
-// .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-// .httpBasic(withDefaults())
-// .csrf(AbstractHttpConfigurer::disable)
-// .build();
-
- http.csrf().disable()
- .authorizeHttpRequests()
- .anyRequest()
- .authenticated()
- .and()
- .httpBasic(withDefaults());
- return http.build();
+ MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
+ return new MvcRequestMatcher.Builder(introspector);
+ }
+ @Bean
+ SecurityFilterChain apiSecurityFilterChain(@NotNull final HttpSecurity http, @NotNull final MvcRequestMatcher.Builder mvc) throws Exception {
+ return http
+ .authorizeHttpRequests(auth -> auth
+ .requestMatchers(mvc.pattern("/api/restfull/users/")).permitAll()
+ .requestMatchers(mvc.pattern("/api/restfull/users/resetPassword")).permitAll()
+ .requestMatchers(mvc.pattern("/api/restfull/oauth2/googlecallback")).permitAll()
+ .requestMatchers(mvc.pattern("/api/restfull/oauth2/confirmaccountsync")).permitAll()
+ .requestMatchers(mvc.pattern("/api/restfull/admin/**")).hasAnyRole("ADMIN")
+ .requestMatchers(mvc.pattern("/**")).hasAnyRole("USER", "ADMIN")
+ .anyRequest().authenticated()
+ )
+ .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+ .httpBasic(withDefaults())
+ .csrf(AbstractHttpConfigurer::disable)
+ .build();
 }
-
- }
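Review bot: The `permitAll()` rules in apiSecurityFilterChain are not scoped to an HTTP method, so every verb on `/api/restfull/users/`, `/api/restfull/users/resetPassword` and the two oauth2 callback paths is reachable without credentials; if any of those paths also maps a GET or DELETE handler (not visible here), that handler is exposed too. `MvcRequestMatcher.Builder` accepts a method, so the registration rule can be narrowed to `.requestMatchers(mvc.pattern(HttpMethod.POST, "/api/restfull/users/")).permitAll()` and the others likewise, which keeps the anonymous surface to the verbs those endpoints actually need. The `.anyRequest().authenticated()` line is unreachable because `mvc.pattern("/**")` already matches every request, and with no `securityMatchers` and no `@Order` this chain presumably runs at lowest precedence as the catch-all if it shares a context with the MvcSecurityConfig chains, which deserves a comment on the method so the ordering is not accidental. Whether the trailing slash in `"/api/restfull/users/"` also matches `/api/restfull/users` depends on the project's path-matching settings; a test against both forms would pin it.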